US12107831B2ActiveUtilityA1

Automated fuzzy hash based signature collecting system for malware detection

79
Assignee: PALO ALTO NETWORKS INCPriority: Sep 10, 2021Filed: Sep 10, 2021Granted: Oct 1, 2024
Est. expirySep 10, 2041(~15.2 yrs left)· nominal 20-yr term from priority
H04L 63/1416H04L 63/1425H04L 63/0245H04L 63/145H04L 63/0263
79
PatentIndex Score
1
Cited by
17
References
19
Claims

Abstract

Automated fuzzy hash based signature collection is disclosed. A set of candidate fuzzy hashes corresponding to a set of false negative samples is received. A false positive reduction analysis is performed on the received set of candidate fuzzy hashes to generate a reduced set of fuzzy hashes. At least a portion of the reduced set of fuzzy hashes is clustered into a fuzzy hash cluster. A signature for a family of malware is generated based at least in part on the fuzzy hash cluster.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A system, comprising:
 a processor configured to:
 receive a set of candidate fuzzy hashes corresponding to a set of false negative samples; 
 perform a false positive reduction analysis on the received set of candidate fuzzy hashes to generate a reduced set of fuzzy hashes; 
 cluster, by a progressive clustering module, at least a portion of the reduced set of fuzzy hashes into a fuzzy hash cluster, wherein the progressive clustering module also considers, during the clustering, a set of previously identified false negatives, wherein the set of previously identified false negatives: (1) previously survived false positive filtering, (2) were previously evaluated by the progressive clustering module, and (3) were not selected for signature generation; and 
 generate a signature for a family of malware based at least in part on the fuzzy hash cluster; and 
 
 a memory coupled to the processor and configured to provide the processor with instructions. 
 
     
     
       2. The system of  claim 1 , wherein the processor is further configured to filter out at least one fuzzy hash cluster based at least in part on a similarity match with an existing signature. 
     
     
       3. The system of  claim 1 , wherein performing the false positive reduction analysis includes performing a pairwise comparison between a candidate fuzzy hash included in the set of candidate fuzzy hashes and a fuzzy hash of a known benign sample. 
     
     
       4. The system of  claim 1 , wherein performing the false positive reduction analysis includes removing from consideration a fuzzy hash of a sample that is an infections virus. 
     
     
       5. The system of  claim 1 , wherein generating the signature includes selecting a representative fuzzy hash from the fuzzy hash cluster. 
     
     
       6. The system of  claim 1 , wherein generating the signature includes comparing the signature against a store of existing signatures. 
     
     
       7. The system of  claim 1 , wherein the generated signature is usable by a data appliance to determine whether a file is malicious. 
     
     
       8. The system of  claim 1 , wherein the processor is further configured to use the generated signature to detect a new malware family. 
     
     
       9. A method, comprising:
 receiving a set of candidate fuzzy hashes corresponding to a set of false negative samples; 
 performing a false positive reduction analysis on the received set of candidate fuzzy hashes to generate a reduced set of fuzzy hashes; 
 clustering, by a progressive clustering module, at least a portion of the reduced set of fuzzy hashes into a fuzzy hash cluster, wherein the progressive clustering module also considers, during the clustering, a set of previously identified false negatives, wherein the set of previously identified false negatives: (1) previously survived false positive filtering, (2) were previously evaluated by the progressive clustering module, and (3) were not selected for signature generation; and 
 generating a signature for a family of malware based at least in part on the fuzzy hash cluster. 
 
     
     
       10. The method of  claim 9 , further comprising filtering out at least one fuzzy hash cluster based at least in part on a similarity match with an existing signature. 
     
     
       11. The method of  claim 9 , wherein performing the false positive reduction analysis includes performing a pairwise comparison between a candidate fuzzy hash included in the set of candidate fuzzy hashes and a fuzzy hash of a known benign sample. 
     
     
       12. The method of  claim 9 , wherein performing the false positive reduction analysis includes removing from consideration a fuzzy hash of a sample that is an infections virus. 
     
     
       13. The method of  claim 9 , wherein generating the signature includes selecting a representative fuzzy hash from the fuzzy hash cluster. 
     
     
       14. The method of  claim 9 , wherein generating the signature includes comparing the signature against a store of existing signatures. 
     
     
       15. The method of  claim 9 , wherein the generated signature is usable by a data appliance to determine whether a file is malicious. 
     
     
       16. The method of  claim 9 , further comprising using the generated signature to detect a new malware family. 
     
     
       17. A computer program product embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
 receiving a set of candidate fuzzy hashes corresponding to a set of false negative samples; 
 performing a false positive reduction analysis on the received set of candidate fuzzy hashes to generate a reduced set of fuzzy hashes; 
 clustering, by a progressive clustering module, at least a portion of the reduced set of fuzzy hashes into a fuzzy hash cluster, wherein the progressive clustering module also considers during the clustering, a set of previously identified false negatives, wherein the set of previously identified false negatives: (1) previously survived false positive filtering, (2) were previously evaluated by the progressive clustering module, and (3) were not selected for signature generation; and 
 generating a signature for a family of malware based at least in part on the fuzzy hash cluster. 
 
     
     
       18. The computer program product of  claim 17 , further comprising computer instructions for filtering out at least one fuzzy hash cluster based at least in part on a similarity match with an existing signature. 
     
     
       19. The computer program product of  claim 17 , further comprising computer instructions for using the generated signature to detect a new malware family.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.